#Scope#
We recognize the important role that a community of security researchers and our user community play in helping to keep Remind and our customers secure. If you think you found a security issue on any of the domains we have listed, please inform us via our program on HackerOne using the guidelines below.
Remind is launching its first bug bounty program. Thank you for your contributions and patience as we build it out. We will expand the bug bounty program in the future if proven successful.
#Program Rules#
- Under no circumstances should any of our users be made aware that you are running a test, e.g. do not join any teachers' classes or message a real user. You may create test organizations, test teacher accounts, and test classes in order to carry out your tests.
- Automated security testing against the site is not allowed.
- If private customer data is accessed during your security testing, please notify us immediately. Additionally, while testing, take measures to avoid accessing customer data or affecting customer experiences.
- Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
- Localize all your tests to the account you are using to test. Don't affect other users.
- Findings derived from social engineering (e.g. phishing, vishing, smishing) are not allowed.
- Recently disclosed 0-day vulnerabilities are not eligible. We need time to patch our systems just like everyone else - please give us two weeks before reporting these types of issues.
- Bugs that have already been submitted by another user, that we are already aware of or that have been classified as not applicable will be ineligible for a bounty.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- When testing, please include the string "hackerone test" at the end of your User-Agent header so we can more easily identify traffic that is coming from the bug bounty program.
- Follow HackerOne's disclosure guidelines.
- Contacting our support team ([email protected]) about the status of a HackerOne report will result in an immediate disqualification for a bounty for that report.
- Do not attempt to bypass or circumvent our AWS WAF. If you need to get around the WAF for testing, please contact us at [email protected] with details about what you are attempting to test, and we can work with you to get whitelisted.
- Please limit requests to 50 requests per second to avoid service disruption.
#In-Scope Vulnerability Classes#
- Cross-site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Server-side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues (Insecure Direct Object Reference issues, etc.)
- Exposed Administrative Panels that don't require login credentials
- Directory Traversal Issues
- Local File Disclosure (LFD)
#Out-of-scope Vulnerabilities#
- Missing autocomplete attributes.
- Missing HttpOnly flags on cookies, or issues with third-party cookies
- SSL/TLS scan reports (this means output from sites such as SSL Labs) and SSL/TLS version related vulnerabilities
- Issues related to networking protocols or industry standards
- XSS in files not developed by Remind, e.g. third-party ads
- Missing security-related HTTP headers which do not lead directly to a vulnerability.
- Non-critical issues that affect only outdated browsers.
- Denial of Service vulnerabilities (DoS)
- Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated).
- Banner grabbing issues (figuring out what web server we use, etc.).
- Password complexity related vulnerabilities
- We have a known issue where passwords can be changed without entering the existing password. This is in the process of being resolved.
- "Scanner output" or scanner-generated reports
- "Advisory" or "Informational" reports that do not include any Remind-specific testing or context
- Vulnerabilities requiring physical access to the victim's unlocked device
- Bugs that do not represent any security risk - these should be reported to [email protected].
- Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.
- Bugs requiring exceedingly unlikely user interaction.
- Disclosure of public information and information that does not present significant risk.
- Vulnerabilities that Remind determines to be an accepted risk will not be eligible for a paid bounty.
- Attempting to compromise our endpoints by brute-force scanning is out of scope.
Thank you for helping keep Remind and our users safe!